天琊(ya)V1.0 0228(增强保险箱)

chenhui530

这次的应该不会蓝了
非常稳定我已经折磨它一天了还没蓝过

驱动文件还在是故意设计的但是放心所有钩子已经卸载

tawny2008

谢谢陈辉同学的更新，情人节快乐！[:26:]

chenhui530

祝大家情人节快乐~~
没有情人其实也瞒快乐的

evilrabbit

   这个工具很强大

dl123100

用户态钩子扫描貌似有些bug。
自我保护有点强。
随便恢复下hook、access memeory之类的就蓝了。

chenhui530

原帖由 dl123100 于 2009-2-14 21:31 发表
用户态钩子扫描貌似有些bug。
自我保护有点强。
随便恢复下hook、access memeory之类的就蓝了。

说下怎么蓝的?

dl123100

没事暴力对抗天琊的自我保护，只存了minidump，bugcheck的内容跟下面的差不多。
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 1000008E, {80000003, f4b581ff, f52b5ddc, 0}
Probably caused by : Ch000001.sys ( Ch000001+131ff )
Followup: MachineOwner
---------
kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
This is a very common bugcheck.  Usually the exception address pinpoints
the driver/function that caused the problem.  Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003.  This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG.  This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG.  This will let us see why this breakpoint is
happening.
Arguments:
Arg1: 80000003, The exception code that was not handled
Arg2: f4b581ff, The address that the exception occurred at
Arg3: f52b5ddc, Trap Frame
Arg4: 00000000
Debugging Details:
------------------

EXCEPTION_CODE: (HRESULT) 0x80000003 (2147483651) - <Unable to get error code text>
FAULTING_IP:
Ch000001+131ff
f4b581ff ??              ???
TRAP_FRAME:  f52b5ddc -- (.trap 0xfffffffff52b5ddc)
Unable to read trap frame at f52b5ddc
CUSTOMER_CRASH_COUNT:  1
DEFAULT_BUCKET_ID:  DRIVER_FAULT
BUGCHECK_STR:  0x8E
LAST_CONTROL_TRANSFER:  from f4b582a6 to f4b58200
STACK_TEXT:  
WARNING: Stack unwind information not available. Following frames may be wrong.
f52b5e4c f4b582a6 8000034c 00000000 81fa3730 Ch000001+0x13200
f52b5f9c 80591488 8000034c 00000000 81fa3730 Ch000001+0x132a6
f52b5fe4 8052f26a 8000034c 00000080 f52b6010 nt!IoGetDeviceObjectPointer+0x5b
f52b6244 f4b51858 81f7e900 f52b6a8c f52b6c04 nt!IoVolumeDeviceToDosName+0xe0
f52b6a94 f4b52ce9 81d40198 f52b6aac 81ebe808 Ch000001+0xc858
f52b6c2c 804e47f7 81fcb020 81d40008 81fc2858 Ch000001+0xdce9
f52b6c3c f8461459 f52b6c68 804e47f7 81fd62b8 nt!IopfCallDriver+0x31
f52b6c44 804e47f7 81fd62b8 81d40008 00038400 sr!SrPassThrough+0x31
f52b6c54 804fac23 818d3da8 81e818e0 81e818f0 nt!IopfCallDriver+0x31
f52b6c68 804fac4a 81fd62b8 81e81909 81e818f8 nt!IopPageReadInternal+0xf4
f52b6c88 804fa8af 81ebe808 81e81918 81e818f8 nt!IoPageRead+0x1b
f52b6cfc 804ea01e 182b2860 5d1acfa0 c01746b0 nt!MiDispatchFault+0x274
f52b6d4c 804e2718 00000000 5d1acfa0 01000001 nt!MmAccessFault+0xc09
f52b6d4c 5d1acfa0 00000000 5d1acfa0 01000001 nt!KiTrap0E+0xcc
0012dba0 00000000 00000000 00000000 00000000 0x5d1acfa0

STACK_COMMAND:  .bugcheck ; kb
FOLLOWUP_IP:
Ch000001+131ff
f4b581ff ??              ???
SYMBOL_NAME:  Ch000001+131ff
FOLLOWUP_NAME:  MachineOwner
MODULE_NAME: Ch000001
IMAGE_NAME:  Ch000001.sys
DEBUG_FLR_IMAGE_TIMESTAMP:  0
FAILURE_BUCKET_ID:  0x8E_Ch000001+131ff
BUCKET_ID:  0x8E_Ch000001+131ff
Followup: MachineOwner
---------
kd> .trap 0xfffffffff52b5ddc
Unable to read trap frame at f52b5ddc

小v可

有更新了！

平常心

又更新了，支持一下

405942873

建议添加快捷键.F5刷新进程~

虽然我用天琊还是会挂死.QQ中和你说了~不知道为啥.

还是帮顶.好好做~争取成为冰刃,wsys和狙剑.之外另一个选择~